Microsoft is rolling out two new administrative roles within it’s Entra ID platform, impacting how organizations manage Teams collaboration and password migration. The changes, announced in early February 2026, offer granular control but come with some caveats for administrators.
New Roles Enhance Control, Demand PowerShell Expertise
These new Entra admin roles provide more focused permissions for managing external collaboration in Teams and streamlining password migration to Microsoft Entra External ID.
- The Teams External Collaboration Administrator role manages external access policies for federated domains.
- This teams role is exclusively managed through PowerShell,with no access to the Teams admin center portal.
- The Authentication Extensibility Password Administrator role facilitates Just-In-Time (JIT) password migration to Microsoft Entra External ID.
- JIT migration leverages custom authentication extensions for credential validation.
- Both roles are newly released and may take time to fully activate across all tenants.
For organizations heavily reliant on microsoft teams, the Teams External Collaboration Administrator role offers a dedicated avenue for controlling external access. Specifically,this role manages external access policies,including those defined at ams/policies/externalAccessPolicy/allTasks.
Password Migration Gets a Dedicated Role
The second new role, Authentication Extensibility Password Administrator, addresses a more specialized need: implementing Just-In-Time (JIT) password migration. This process is designed to move user credentials from legacy identity providers to Microsoft Entra External ID, which is currently in Public Preview.
JIT migration works by invoking a custom API during the sign-in process to validate user credentials against the legacy identity provider. Microsoft Entra External ID supports this process by using custom authentication extensions to facilitate the integration. these extensions allow you to define custom logic that runs during the authentication process, enabling you to interact with external systems and perform more processing as part of the sign-in flow. … The Authentication Extensibility Password Administrator role gives you the necessary permissions to create and manage custom authentication extensions for password migration.
Essentially, this role empowers administrators to create and manage the custom authentication extensions crucial for password migration.It’s a key component for organizations looking to modernize their identity infrastructure and leverage the capabilities of Microsoft Entra External ID.
role Definition ID: 0b00bede-4072-4d22-b441-e7df02a1ef63
It’s certainly worth noting that Microsoft cautions these roles are new and may take some time to become fully active across all Entra ID tenants. Administrators should plan accordingly and monitor for full functionality.
